Observations of a Digitally Enlightened Mind

The Art of Security and Why Security Vendors are the Root of All Internet Evil

I was reading a book entitled “A Whole New Mind: Why Right-Brainers Will Rule the Future”. It isn’t terribly well written and has the flow of an idea that was shoe-horned into a literary context, but it is interesting nonetheless. Anyway, against the backdrop of DNSgate (btw – exploit code has been posted – here – thanks guys!) and the complete and utter failure of the security industry to offer anything beyond a never-ending hamster wheel of suites, widgets, add-ons, and modules, the book gave me pause as I reflected on what is, for the most part, a feeling of defeat and despair among security professionals.

This is a feeling that ebbs and flows with the conference season and generally peaks around mid-year with the introduction of clever new methods of attack and exploitation, presented in the carnival-like atmosphere of a Blackhat or *con.

“Come one, come all, see the bearded lady swallow a flaming sword whilst revealing the latest virtual exploit guaranteed to introduce a completely undetectable malicious hypervisor as she rides on the shoulders of the world’s strongest man, who will devastate the entire Internet infrastructure in 10 seconds with a single finger”

Undetectable hypervisors? 10 seconds to Internet destruction? 1,001 ways to craft a nefarious browser attack? Conceptually these are pretty scary, especially if you are reading your email and Robert Graham singles you out during one of his side-jacking presentations and shows the world how easy it is to own you and how careless you are for being owned (you Wall of Sheep know who you are). Honestly, who wouldn’t want to throw in the towel and cede internet dominance to a 15-year-old svelte Norwegian hacker with a bad skin condition or a gang of Nigerian spammers?

It would appear that doing business on the internet is like Dom Deluise swimming naked through shark-infested waters with an open wound while wearing a necklace of dead penguins and carrying a 3 lb salami.

It has been argued time and again that the bad guys have the advantage, that we are on the losing side of the OODA loop, that for the most part we are simply sitting ducks and the best we can do is choose not to sit so close to the gaping jaws of a large crocodile and pray that we do not become prey. I contend that this feeling is misguided and incorrect.

It has either been dismissed as inconsequential, or we have been so blinded by the constant carpet-bombing of FUD marketing and the ongoing orgy of disclosure that we are simply numb to it, but we have an inherent advantage: we use the right side of our brains, whereas the bad guys really have no need to. We are clever, we use art with science, we are driven to find the edge cases, we strive to find the unique and obscure. We believe it is the other way around, but that is a result of the complete incompetence of the major security vendors, who, like the diabetes product vendors, will forever keep us in a never-ending cycle of finger-pricking and insulin-injecting security practices instead of actually trying to solve problems.

Wait, what, we have the advantage? I know it sounds like security blasphemy, but don’t jump off the roller-coaster of semi-rational fun just yet; we still need to ride through the loop-de-loop.

The majority of ground breaking security research and discoveries, especially of the “holy shit” variety, come from the good guys, not the bad

According to the recent Verizon breach disclosure statistics, 85% of attacks are opportunistic, which leads one to believe that (a) there is no reason for the bad guys to find unique ways to exploit, and (b) we are still our own worst enemy.

There is no end in sight to the lack of security prowess, which ensures an endless supply of easy targets for the bad guys to attack. Remember, if we believe that attacks are becoming more financially motivated, then a cost-benefit analysis will drive an attacker to take the easiest, least risky path to exploitation.

The internet is resilient, business is even more so, and the good guys tend to spend more time on the problem than the bad guys.

You may be right, but I would contend that we do have one method of determining the extent to which the bad guys are discovering and researching security exploits, and that is their use in the wild. Of course, one cannot prove that lack of use equates to non-existence, but what other metric would we use? Take a similar scenario with nuclear weapons and Al Qaeda – can we reasonably expect that they have them or not? How would we know?

I would exclude state-sponsored cyber-terrorism here, though; I think most would agree that there is a level of sophistication used by these folks that is far beyond the run-of-the-mill attackers the majority of businesses will encounter.

Your last two points can be summarized by the old joke about the hikers who cross paths with a grizzly bear. The first hiker immediately takes off his hiking boots and puts on his running shoes. The second hiker: “Why are you doing that – you can’t outrun the bear.” First hiker: “I don’t need to outrun the bear, I only need to outrun you.”

In a sense, yes, if hacking today is focused on profit rather than challenge or ego, as perhaps it once was, our goal now needs to be to outrun the other hikers, not the bear. Fortunately, as you indicate, there is a limitless supply of slow hikers (incompetent developers, sysadmins). All we need to do is run faster than them.

“The majority of ground breaking security research and discoveries, especially of the “holy shit” variety, come from the good guys, not the bad”

This is a false statement, if I ever saw one. In fact, it is my personal belief that the “whitehat” security industry is doomed to either reinvent or “buy” (iDefense anyone? Is your friendly security consultant a “blackhat”?) “know-how” from the “blackhat” community (please pardon the archaic terminology used 🙂 ).

Furthermore, you reply:

“You may be right, but I would contend that we do have one method of determining the extent to which the bad guys are discovering and researching security exploits and that is their use in the wild, of course one cannot prove that lack of use equates to non-existence but what other metric would we use? take a similar scenario with Nuclear weapons and Al Qaeda – can we reasonably expect that they have them or not? How would we know?”

I disagree with this one on the following counts:
* creating a nuclear weapon not only requires knowledge but access to materials as well. Creating a 0-day exploit requires just knowledge and time, not highly controlled materials.
* like the majority of the security industry (Bruce Schneier and Ross Anderson excluded) you associate security with the all too common “hit-and-run” attacks. However, this is only one aspect of a multi-faceted problem. I would wager that if a highly skilled attacker (or a group of them) targets someone, then that someone will be none the wiser. So, if the source of information is along the lines of “we have found only 2-3 0h-days this month in our super duper honeypots” or the usual public release exploit sites/mailing lists, then you have insufficient data to deduce a reasonable conclusion. I, for one, have seen the security industry lagging by several years (in some extreme cases 5+ years) regarding vulnerabilities and exploitation techniques. From all the above I do not believe that your conclusions are accurate, and I believe that the security industry (and I am not talking about the snake-oil variety) is still lagging behind what is out there. Combine that with the fact that nowadays you cannot just pinpoint the advances in certain groups of individuals (as used to be the case back in early 2000), owing to the fact that new “hacking” communities (with quite different objectives and methodologies) have emerged in non-western countries, and you have a seriously flawed intelligence model on your hands.

It is popular wisdom to assume that there is an elite force of eastern European or Chinese hackers that have access to a cadre of highly-advanced and unknown attack techniques – but they really don’t need them; they can exploit most organizations with half-a-decade-old vulnerabilities.

Yes, one can be owned and not know it, their machines compromised, their data stolen, etc. – which is why I said “of course one cannot prove that lack of use equates to non-existence” – but if the attack has no material impact on the organization, neither inhibiting services, disrupting the user, nor gaining access to sensitive information, then most organizations really don’t care if a piece of malware is slurping their employees’ bank data.

I would assume that there are several, if not dozens, of unknown, undetected, highly sophisticated attacks that occur daily, but statistically this is dwarfed by the millions of known, detected attacks that occur hourly.

For those about to comment and tell me how wrong I am, I would ask them to consider some observations:

– We romanticize hackers almost in the same way we romanticize other criminals, like organized criminals; the truth is that organized crime, like the Italian mafia, is run by thugs, not terribly bright thugs, but clever enough to exploit weaknesses in society or people – this is not much different in the digital world.

– What is the more difficult aspect of research: finding an unknown vulnerability or crafting an exploit against the vulnerability? Based on WHAT WE KNOW, there is a clear distinction between which groups focus on which areas.

– Clearly there are highly intelligent people in both camps, but the reality isn’t what it appears when FUD is spread about the overwhelming and highly exotic digital weaponry available to the common hacker today

– Which group is more likely to create an OS? Develop a new computing paradigm, like virtualization? Define a standard protocol? Found a company and build it into an industry titan? Coordinate with hundreds of representatives from private and public sector?

– I think the reality is that today we are still our own worst enemy; we are exploited not due to exotic attacks, but due to our own incompetence and the incompetence of the security vendors in general.

Am I wrong? Possibly, but I would like to see more than emotion or gut instinct to be used as proof.

Now, the original question you raised about the vendors – it’s quite simple. Just as the hiker needed to outrun the slower hikers, the security vendors are like the bears: they just need to outrun the other bears to catch the slowest hiker.

And before this turns into a rant, the same logic applies even to nature and natural selection. A surviving species doesn’t need to be perfect, it just needs to be a bit better than the competition.

So this logic won’t go away; just accept it and try to be better than the competition.

#0 Vendors do not need to be ahead of the threat they only need to be ahead of the buyer

The goal of the security industry is not to secure, the goal of the security industry is to make money. I think we all know this conceptually, and even with the best intentions in our capitalistic society we must understand that security companies are motivated by profits. This isn’t necessarily a bad thing, but it should help to dispel the myth that security companies are smarter than hackers, they aren’t, they are just smarter than the buyers.

“The majority of ground breaking security research and discoveries, especially of the “holy shit” variety, come from the good guys, not the bad”

I am inclined to agree with you on that point, but only in the scope of public awareness being made for the sake of credibility, legacy and, of course, prevention (reaction?).

In any case, it would be counter-productive for a miscreant to reveal his bag of tricks, or else he would have to develop a new bag of tricks… so within that context, yes, I think it is safe to say that researchers of the whitehat variety will publish the more ground-breaking finds, whether or not it’s been found already by their darker counterpart.

Hello and thanks for the reply. While I am an IT Security professional, I still disagree with some of your views and I wish to provide a counterpoint. Without any further ado:

“It is popular wisdom to assume that there is a elite force of eastern European or Chinese hackers that have access to a cadre of highly-advanced and unknown attack techniques – but they really don’t need them, they can exploit most organizations with the half-a decades old vulnerability.”

I partially agree with you. When the old common attacks will fail, the hacker with the 0-day is the one that will prevail. To draw a military analogy, you will not be spending multi-million dollar ammunition, such as cruise missiles, when you can achieve the same effects with a good old artillery salvo 🙂 (unless you are the US Army and wanna do a military tech demo 🙂 ). However, having access to multi-million dollar weaponry is invaluable when it is really needed. I do not think that I need to explain this analogy any further.

“Yes one can be owned and not know it, their machines compromised, their data stolen, etc – which is why I said “of course one cannot prove that lack of use equates to non-existence” – but if the attack has no material impact on the organization, neither inhibiting services, disrupting the user, or gaining access to sensitive information, then most organizations really don’t care if a piece of malware is slurping their employees bank data.”

I agree on this one.

“I would assume that there are several, if not dozens, of unknown, undetected, highly sophisticated attacks that occur daily, but statistically this is dwarfed by the millions of known, detected attacks that occur hourly.”

From a technological viewpoint, it’s the dozens of new, highly sophisticated attacks that matter, not some age-old automated exploit that targets win2k SP1 and IE 5. So we are back to the intentions vs capabilities analysis dilemma.

“- We romanticize hackers almost in the same way we romanticize other criminals, like organized criminals, the truth is that organized crime, like the Italian mafia, is run by thugs, not terribly bright thugs, but clever enough to exploit weakness in society or people – this is not much different in the digital world”

Culturally, the “hacker” has become a pop culture icon. I agree, the general public tends to romanticize hackers.

“- What is the more difficult aspect of research; finding an unknown vulnerability or crafting an exploit against the vulnerability? Based on WHAT WE KNOW, there is a clear distinction between which groups focus on which areas”

Nowadays, with all the OS built-in protections, finding a vulnerability is the easy part 🙂 Dave Aitel supports the notion that discovering a vulnerability might cost 10k; actually developing a working exploit is 10 times that.

“- Clearly there are highly intelligent people in both camps, but the reality isn’t what it appears when FUD is spread about the overwhelming and highly exotic digital weaponry available to the common hacker today”

The common hacker of today has a ton more tools, documentation and operates in a target-rich environment. However, this is somewhat offset by the security industry countermeasures. There is both FUD regarding attacker capabilities AND countermeasures (i.e. “snake oil”) from the security industry. So yes, there is a ton of FUD and overestimation of hacker capabilities, there is also a ton of underestimation of the so-called “script kiddies” from the “security kiddies”.

“- Which group is more likely to create an OS? Develop a new computing paradigm, like virtualization? Define a standard protocol? Found a company and build it into an industry titan? Coordinate with hundreds of representatives from private and public sector?”

You are now changing the question. It is a matter of time. As Schneier has said, quite often, the “hackers” of yesterday are today’s successful security advisors. This actually deserves a separate discussion.

“- I think the reality is that today, we are still our own worst enemy, we are exploited not due to the exotic attacks, but due to our own incompetence and the incompetence of the security vendors in general”

I wholeheartedly agree about the general level of incompetence (if not downright dishonesty) within the security industry, as I will agree that most corporate security incidents are due to human incompetence.

“Am I wrong? Possibly, but I would like to see more than emotion or gut instinct to be used as proof.”

Start collecting your own intelligence 🙂 It is amazing how limited intelligence capabilities are in your average security company (average security company as in “no snake oil merchants” but no gurus either). It is also amazing how stuff like, let’s say, the now-public Debug Register Rootkit for x86 has been undetected for a number of years by the “mighty” security industry.

Thanks for the reply and your well thought out response. The security industry, or more appropriately the security vendors, are a complete failure; those who want to do malicious harm have little to no resistance from the vendors, and if that was all we measured then by anyone’s metrics we would be losing, and losing badly – I think we all agree on that point.

Couple of comments:

“From a technological viewpoint, its the dozens of new, highly sophisticated attacks that matter, not some age old automated exploit that targets win2k SP1 and IE 5. So we are back to the intentions vs capabilities analysis dilemma.”

This is an interesting viewpoint, one that has been argued before in the context of the impact of zero-day attacks on organizations. I would say that if one is vulnerable to an exploit that targets win2k SP1 and IE5, that company is just as impacted by that incident as it would be from a zero-day – not from a 1 to 1 perspective, but from the perspective of quantity of potential attacks, oh, and sheer incompetence, so both matter equally.

But if we are measuring impact we shouldn’t look at the attack, but the outcome: if a zero-day or targeted attack results in disruption of services, but a 6-year-old privilege escalation results in loss of data, then the latter is far more devastating.

“Nowadays, with all the OS built-in protections, finding a vulnerability is the easy part 🙂 Dave Aitel supports the notion that discovering a vulnerability might cost 10k, actually developing a working exploits it’s 10 times that.”

I think the recent Kaminsky/HD Moore instance would show that is a false assumption. Now, if you are referring to what one would pay, then yes, you can charge more for a working exploit than for a working vulnerability, but the price one would pay does not reflect the skill or difficulty in either case.

“You are now changing the question. It is a matter of time. As Schneier has said, quite often, the “hackers” of yesterday are today’s successful security advisors. This actually deserves a separate discussion.”

I was referring to innovation, but you raise an interesting point, which is the transition from hacker to working stiff. If we look at risk/reward it would suggest that the majority of hackers, especially those in their teens, would migrate to professional security positions over time – and this is a pattern we have seen repeated over the past decade.

I agree that there is an underestimation of the skills of the hacking community, but I doubt anyone overestimates the skills of the vendors 🙂